    Security Policy

    At GitWatchman, security is our top priority. Learn about the measures we take to protect your data and ensure the integrity of our service.

    Last Updated: December 21, 2025

    Encryption

    All data is encrypted in transit using TLS 1.3 and at rest using AES-256.

    Authentication

    Secure OAuth 2.0 authentication via GitHub and Google, with JWT (JSON Web Token) management.

    Infrastructure

    Hosted on Vercel with automated DDoS protection and edge network security.

    Monitoring

    24/7 automated monitoring for security threats and anomalous activity detection.

    1. Our Security Commitment

    GitWatchman is committed to maintaining the highest standards of security for our users. We implement industry best practices and continuously update our security measures to address emerging threats.

    Our security practices are designed to protect the confidentiality, integrity, and availability of your data while ensuring compliance with applicable regulations including GDPR and CCPA.

    2. Data Protection

    2.1 Encryption Standards

    • In Transit: TLS 1.3 encryption for all data transmitted between your browser and our servers
    • At Rest: AES-256 encryption for all stored data in our Supabase database
    • Backups: Encrypted backups with secure key management

    2.2 Database Security

    • Row Level Security (RLS) policies on all user data tables
    • Principle of least privilege for database access
    • Regular security audits and penetration testing
    • Automated backup and disaster recovery procedures

    3. Authentication & Access Control

    3.1 User Authentication

    • OAuth 2.0 authentication via GitHub and Google
    • No password storage - delegated to trusted identity providers
    • Secure JWTs with a limited lifetime
    • Automatic session management and secure logout

    3.2 Access Controls

    • Role-based access control (RBAC) for administrative functions
    • User data isolation - you can only access your own data
    • API rate limiting to prevent abuse
    • Privilege escalation prevention through secure role management

    4. Infrastructure Security

    4.1 Hosting & Network

    • Hosted on Vercel's secure edge network with global CDN
    • Automatic DDoS protection and traffic filtering
    • HTTPS enforced on all connections
    • Regular security updates and patches applied automatically

    4.2 Third-Party Services

    We carefully select our service providers based on their security practices:

    • Supabase: SOC 2 Type II certified, GDPR-compliant database hosting
    • Vercel: SOC 2 Type II certified, enterprise-grade hosting
    • GitHub: Industry-leading security for OAuth authentication

    5. Monitoring & Incident Response

    5.1 Continuous Monitoring

    • 24/7 automated security monitoring
    • Real-time alerting for suspicious activities
    • Error tracking and performance monitoring
    • Regular security log reviews

    5.2 Incident Response

    In the event of a security incident, we follow a structured response process:

    1. Immediate containment and assessment
    2. Investigation and root cause analysis
    3. User notification within 72 hours if personal data is affected
    4. Remediation and prevention measures
    5. Post-incident review and documentation

    6. Vulnerability Reporting

    We appreciate the security research community's efforts in helping us maintain a secure service. If you discover a security vulnerability, please report it responsibly.

    Report a Vulnerability

    Please email security concerns to:

    g.argento78@gmail.com

    Please include:

    • Description of the vulnerability
    • Steps to reproduce
    • Potential impact assessment
    • Any suggested fixes (optional)

    We commit to acknowledging your report within 48 hours and will keep you informed of our progress. We ask that you do not publicly disclose the vulnerability until we have had a chance to address it.

    7. Your Role in Security

    Security is a shared responsibility. Here are some steps you can take to help keep your account secure:

    • Use strong, unique passwords for your GitHub/Google accounts
    • Enable two-factor authentication (2FA) on your identity provider
    • Review your authorized applications periodically
    • Report any suspicious activity immediately
    • Keep your browser and devices updated
    • Log out when using shared or public computers

    8. Policy Updates

    We regularly review and update our security practices. This policy will be updated to reflect any changes. Significant changes will be communicated to users via email.

    Stay Informed

    For questions about our security practices, contact us at g.argento78@gmail.com.

    © 2026 GitWatchman · Not affiliated with GitHub, Inc. · Created by GA